blue screen and laptop reboot

Post by maux » Thu Dec 18, 2008 10:53 am

hi,
on my laptop running Windows XP Professional SP3, for a few days now a blue screen has been appearing at random intervals for about 1 second, listing errors I don't have time to read, and then the PC reboots automatically.
I went into Event Viewer and found the following 3 errors:
"System error -> categoria (102)
errore 10000050, parametro1 e50b6000, parametro2 00000000, parametro3 f766c8d6, parametro4 00000001."

"All'avvio non è stato possibile caricare i seguenti driver:
gbaiqoag"

"Il servizio AutoExNT non è stato avviato per il seguente errore:
Impossibile trovare il file specificato."

I'd like to understand whether this is hardware damage or a virus... I tried a full scan with AVG and Malwarebytes, but they don't manage to finish before the PC reboots after the blue screen.
The laptop is 4 months old and I have never made any hardware changes. Last week I caught the Vundo trojan, but I removed it successfully.
The blue screen appears even when I am not connected to the internet.
I'm attaching the HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.29.41, on 17/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Lenovo\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Programmi\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programmi\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programmi\Lenovo\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
C:\Programmi\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre6\bin\ssv.dll
O2 - BHO: Guida per l'accesso a Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programmi\File comuni\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Programmi\AVG\AVG8\avgtoolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programmi\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programmi\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Programmi\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programmi\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [FingerPrintSoftware] "C:\Programmi\Lenovo Fingerprint Software\fpapp.exe" \s
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programmi\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Avvio veloce di Adobe Reader.lnk = C:\Programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Invia a periferica &Bluetooth... - C:\Programmi\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB0D04C2-7EFA-45A5-894E-F2E1F539D250}: NameServer = 192.168.0.1,208.67.222.222
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programmi\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Programmi\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll ehqwib.dll
O20 - Winlogon Notify: ATFUS - C:\WINDOWS\system32\FpWinLogonNp.dll
O23 - Service: AutoExNT - Unknown owner - C:\WINDOWS\system32\AutoExNT.Exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Programmi\Lenovo\Bluetooth Software\bin\btwdins.exe
O23 - Service: Fingerprint Server (FingerprintServer) - AuthenTec,Inc - C:\WINDOWS\system32\FpLogonServ.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programmi\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5743 bytes


If you need any other information, let me know.
Thank you very much!

Re: blue screen and laptop reboot

Post by Amantide » Thu Dec 18, 2008 10:10 pm

First, run the HijackThis scan again, tick this entry and press Fix Checked:
O23 - Service: AutoExNT - Unknown owner - C:\WINDOWS\system32\AutoExNT.Exe (file missing)

Now reboot the PC, download ComboFix and run the scan following these instructions (at the bottom). When the scan completes, the report file C:\combofix.txt will be created; paste its contents here.

Re: blue screen and laptop reboot

Post by maux » Thu Dec 18, 2008 11:26 pm

I followed your instructions to the letter, and the ComboFix log is as follows:

ComboFix 08-12-18.01 - SilviaS 2008-12-18 23.10.43.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2046.1585 [GMT 1:00]
Eseguito da: c:\documents and settings\SilviaS\Desktop\ComboFix.exe
* Creato nuovo punto di ripristino

ATENÇÃO - ESTA MAQUINA NAO TEM A CONSOLE DE RECUPERAÇÃO INSTALADA !!
.

((((((((((((((((((((((((( Files Creati Da 2008-11-18 al 2008-12-18 )))))))))))))))))))))))))))))))))))
.

2008-12-11 18:30 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 18:29 . 2008-12-11 18:30 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2008-12-11 18:29 . 2008-12-11 18:29 <DIR> d-------- c:\documents and settings\SilviaS\Dati applicazioni\Malwarebytes
2008-12-11 18:29 . 2008-12-11 18:29 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-12-11 18:29 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-05 12:08 . 2008-12-18 23:13 2,204 --a------ c:\windows\gbaiqoag
2008-11-30 18:47 . 2008-12-03 13:10 69 --a------ c:\windows\NeroDigital.ini
2008-11-28 11:39 . 2001-08-30 20:41 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-28 11:39 . 2001-08-30 20:41 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-28 11:39 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-28 11:39 . 2008-04-13 11:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2008-11-18 16:18 . 2008-04-13 19:13 221,184 --a------ c:\windows\system32\wmpns.dll
2008-11-18 16:06 . 2008-11-08 11:06 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di stampa
2008-11-18 16:06 . 2008-11-08 11:06 <DIR> d--h----- c:\documents and settings\Administrator\Risorse di rete
2008-11-18 16:06 . 2008-11-08 11:06 <DIR> d-------- c:\documents and settings\Administrator\Preferiti
2008-11-18 16:06 . 2008-11-08 11:14 <DIR> d--h----- c:\documents and settings\Administrator\Modelli
2008-11-18 16:06 . 2008-11-08 11:06 <DIR> dr------- c:\documents and settings\Administrator\Menu Avvio
2008-11-18 16:06 . 2008-12-11 18:20 <DIR> d--h----- c:\documents and settings\Administrator\Impostazioni locali
2008-11-18 16:06 . 2008-11-08 11:06 <DIR> d-------- c:\documents and settings\Administrator\Documenti
2008-11-18 16:06 . 2008-11-08 11:06 <DIR> dr-h----- c:\documents and settings\Administrator\Dati applicazioni
2008-11-18 16:06 . 2008-11-18 16:06 <DIR> d-------- c:\documents and settings\Administrator
2008-11-18 16:03 . 2008-09-07 09:46 3,072 --a------ c:\windows\system32\CRYPT.DLL

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 18:01 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2008-12-11 17:26 --------- d-----w c:\programmi\Java
2008-12-11 12:03 --------- d-----w c:\programmi\eMule
2008-11-11 21:48 --------- d-----w c:\programmi\microsoft frontpage
2008-11-10 21:59 --------- d-----w c:\programmi\Windows Media Connect 2
2008-11-10 12:47 --------- d-----w c:\documents and settings\SilviaS\Dati applicazioni\AdobeUM
2008-11-09 21:51 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-11-09 21:43 --------- d-----w c:\programmi\File comuni\InstallShield
2008-11-09 21:38 --------- d-----w c:\programmi\Lenovo Fingerprint Software
2008-11-09 19:45 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Messenger Plus!
2008-11-09 19:33 --------- d-----w c:\programmi\Messenger Plus! Live
2008-11-09 19:31 --------- d-----w c:\programmi\Windows Live
2008-11-09 19:30 --------- dcsh--w c:\programmi\File comuni\WindowsLiveInstaller
2008-11-09 19:24 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\WLInstaller
2008-11-09 19:19 --------- d-----w c:\programmi\MSBuild
2008-11-09 19:19 --------- d-----w c:\programmi\Microsoft Works
2008-11-09 19:18 --------- d-----w c:\programmi\Microsoft.NET
2008-11-09 19:17 --------- d-----w c:\programmi\Microsoft Visual Studio 8
2008-11-09 19:14 --------- d-----w c:\programmi\DAEMON Tools Lite
2008-11-09 19:12 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-09 19:12 --------- d-----w c:\documents and settings\SilviaS\Dati applicazioni\DAEMON Tools
2008-11-09 19:11 --------- d-----w c:\programmi\File comuni\Adobe
2008-11-09 19:03 --------- d-----w c:\programmi\File comuni\Ahead
2008-11-09 19:03 --------- d-----w c:\programmi\Ahead
2008-11-09 19:00 --------- d-----w c:\programmi\directx
2008-11-09 18:48 97,928 ----a-w c:\windows\system32\drivers\avgldx86.sys
2008-11-09 18:43 315,392 ----a-w c:\windows\HideWin.exe
2008-11-09 18:43 --------- d-----w c:\programmi\Realtek
2008-11-09 18:22 --------- d-----w c:\programmi\Broadcom
2008-11-09 18:21 --------- d-----w c:\programmi\Lenovo
2008-11-08 23:08 --------- d-----w c:\programmi\Intel
2008-11-08 12:13 76,040 ----a-w c:\windows\system32\drivers\avgtdix.sys
2008-11-08 12:13 --------- d-----w c:\programmi\AVG
2008-11-08 12:13 --------- d-----w c:\documents and settings\SilviaS\Dati applicazioni\AVGTOOLBAR
2008-11-08 12:13 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\avg8
2008-11-08 12:12 --------- d-----w c:\programmi\DIFX
2008-11-08 10:15 --------- d-----w c:\programmi\Servizi in linea
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

2004-08-19 15:39 504832 4166454e2bcfcc20d1b8a5ac9feab243 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:14 510464 9259170d29b5a256735fcb8b80280857 c:\windows\ServicePackFiles\i386\winlogon.exe
2004-08-19 15:39 504832 4166454e2bcfcc20d1b8a5ac9feab243 c:\windows\SoftwareDistribution\Download\3081fb24ce5c92103d622c497fb2b188\backup\winlogon.exe
2008-11-18 16:07 510464 90f406811ee1eee294792d00e21ca16c c:\windows\system32\winlogon.exe
.
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-27 1261336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-21 7585792]
"AzMixerSel"="c:\programmi\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"FingerPrintSoftware"="c:\programmi\Lenovo Fingerprint Software\fpapp.exe" [2007-03-02 933888]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"nwiz"="nwiz.exe" [2007-03-21 c:\windows\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 c:\windows\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
BTTray.lnk - c:\programmi\Lenovo\Bluetooth Software\BTTray.exe [2006-11-13 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-02-27 17:26 131072 c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll ehqwib.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\eMule\\emule.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-08 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-08 875288]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-08 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2008-11-08 76040]
S0 gbaiqoag;gbaiqoag;c:\windows\system32\drivers\oxugxjvi.sys []
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2007-01-19 61440]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-11 38496]
S4 AutoExNT;AutoExNT;c:\windows\system32\AutoExNT.Exe []
.
.
------- Supplementary Scan -------
.
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Invia a periferica &Bluetooth... - c:\programmi\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {AB0D04C2-7EFA-45A5-894E-F2E1F539D250} = 192.168.0.1,208.67.222.222
FF - ProfilePath - c:\documents and settings\SilviaS\Dati applicazioni\Mozilla\Firefox\Profiles\iz5bqaon.default\

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-18 23:14:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\oxugxjvi.sys 25088 bytes executable

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\ATGinaHook.dll
c:\programmi\Lenovo Fingerprint Software\ATCSSINT.DLL
c:\programmi\Lenovo Fingerprint Software\SharedResources.dll
c:\programmi\Lenovo Fingerprint Software\FPResource.dll
c:\windows\system32\FpWinLogonNp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\programmi\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\programmi\AVG\AVG8\avgrsx.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\Lenovo\BLUETO~1\BTSTAC~1.EXE
.
**************************************************************************
.
Scan finished: 2008-12-18 23:16:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-18 22:16:56

Pre-Run: 48,158,990,336 bytes free
Post-Run: 48,157,949,952 bytes free

386 --- E O F --- 2008-12-18 13:35:40


Before doing what you had advised, I disabled the automatic restart on system errors.... as soon as the famous blue screen appeared, this time, since it did not restart, I wrote it down and it read as follows:

"A problem has been detected and Windows has been shut down to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you have seen this stop error screen, restart your computer.
If this screen appears again, follow these steps: check that any new hardware or software is properly installed. If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.
If problems continue, disable or remove any newly installed hardware or software.
Disable BIOS memory options such as caching or shadowing.
If you need to use Safe Mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical information:

*** STOP: 0x00000050 (0xe348d000, 0x00000000, 0xf766c8d6, 0x00000001)

Beginning dump of physical memory
Physical memory dump complete
Contact your system administrator or technical support group for further assistance"


Maybe it can be of use to you.
Thanks again, I await further instructions.


Re: blue screen and laptop restart

Post by maux » Sat Dec 20, 2008 12:06 pm

I'll add that I ran a scan with VundoFix but it says there are no infected files...

Re: blue screen and laptop restart

Post by Amantide » Sat Dec 20, 2008 2:23 pm

Sorry, I had missed your reply.

Copy and paste the following text into Notepad and save the file to the desktop with the name CFScript.txt.

File::
c:\windows\gbaiqoag
C:\WINDOWS\system32\ehqwib.dll
c:\windows\system32\drivers\oxugxjvi.sys

Folder::
c:\windows\gbaiqoag

Driver::
gbaiqoag

Now drag the CFScript.txt file onto the ComboFix icon. Wait for the scan to finish and post the new ComboFix log.

To configure the AutoExNT service to run at startup:
Start >> Run >> type services.msc and press OK.
Double-click the AutoExNT service, under Startup type select Manual and press OK.

Finally, also run a full scan with Malwarebytes Anti-Malware and post the report here.

Re: blue screen and laptop restart

Post by maux » Sat Dec 20, 2008 3:25 pm

now I'll tell you what I did:

1) Just before reading your last post, I was finishing the PC scan with Avira and found some Trojans, removed successfully... I'm attaching Avira's final report

Avira AntiVir Personal
Report file date: sabato 20 dicembre 2008 13:36

Scanning for 1106377 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 3) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: SILVIA

Version information:
BUILD.DAT : 8.2.0.337 16934 Bytes 18/11/2008 13:05:00
AVSCAN.EXE : 8.1.4.10 315649 Bytes 18/11/2008 08:21:26
AVSCAN.DLL : 8.1.4.0 40705 Bytes 26/05/2008 07:56:40
LUKE.DLL : 8.1.4.5 164097 Bytes 12/06/2008 12:44:19
LUKERES.DLL : 8.1.4.0 12033 Bytes 26/05/2008 07:58:52
ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 27/10/2008 11:30:36
ANTIVIR1.VDF : 7.1.0.197 1170432 Bytes 07/12/2008 12:31:08
ANTIVIR2.VDF : 7.1.0.250 342528 Bytes 18/12/2008 12:31:11
ANTIVIR3.VDF : 7.1.1.14 95232 Bytes 19/12/2008 12:31:12
Engineversion : 8.2.0.45
AEVDF.DLL : 8.1.0.6 102772 Bytes 14/10/2008 10:05:56
AESCRIPT.DLL : 8.1.1.19 336252 Bytes 20/12/2008 12:31:21
AESCN.DLL : 8.1.1.5 123251 Bytes 07/11/2008 15:06:41
AERDL.DLL : 8.1.1.3 438645 Bytes 04/11/2008 13:58:38
AEPACK.DLL : 8.1.3.4 393591 Bytes 11/11/2008 09:41:39
AEOFFICE.DLL : 8.1.0.33 196987 Bytes 20/12/2008 12:31:20
AEHEUR.DLL : 8.1.0.75 1524087 Bytes 20/12/2008 12:31:19
AEHELP.DLL : 8.1.2.0 119159 Bytes 20/12/2008 12:31:15
AEGEN.DLL : 8.1.1.8 323956 Bytes 20/12/2008 12:31:15
AEEMU.DLL : 8.1.0.9 393588 Bytes 14/10/2008 10:05:56
AECORE.DLL : 8.1.5.2 172405 Bytes 20/12/2008 12:31:13
AEBB.DLL : 8.1.0.3 53618 Bytes 14/10/2008 10:05:56
AVWINLL.DLL : 1.0.0.12 15105 Bytes 09/07/2008 08:40:05
AVPREF.DLL : 8.0.2.0 38657 Bytes 16/05/2008 09:28:01
AVREP.DLL : 8.0.0.2 98344 Bytes 31/07/2008 12:02:15
AVREG.DLL : 8.0.0.1 33537 Bytes 09/05/2008 11:26:40
AVARKT.DLL : 1.0.0.23 307457 Bytes 12/02/2008 08:29:23
AVEVTLOG.DLL : 8.0.0.16 119041 Bytes 12/06/2008 12:27:49
SQLITE3.DLL : 3.3.17.1 339968 Bytes 22/01/2008 17:28:02
SMTPLIB.DLL : 1.2.0.23 28929 Bytes 12/06/2008 12:49:40
NETNT.DLL : 8.0.0.1 7937 Bytes 25/01/2008 12:05:10
RCIMAGE.DLL : 8.0.0.51 2371841 Bytes 12/06/2008 13:48:07
RCTEXT.DLL : 8.0.52.0 86273 Bytes 27/06/2008 13:34:37

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\programmi\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, D:,
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: sabato 20 dicembre 2008 13:36

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'BTSTAC~1.EXE' - '1' Module(s) have been scanned
Scan process 'BTTray.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'RTHDCPL.exe' - '1' Module(s) have been scanned
Scan process 'AGRSMMSG.exe' - '1' Module(s) have been scanned
Scan process 'GrooveMonitor.exe' - '1' Module(s) have been scanned
Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'jqs.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'btwdins.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!
Boot sector 'D:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '58' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Qoobox\Quarantine\C\WINDOWS\system32\auhjsh.dll.vir
[DETECTION] Is the TR/Monder.abke.6 Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\bhkegccw.dll.vir
[DETECTION] Is the TR/Vundo.Gen Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\cynhrktj.dll.vir
[DETECTION] Is the TR/Monder.abke.6 Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ehqwib.dll.vir
[DETECTION] Is the TR/Packed.44486 Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\fprpsgba.dll.vir
[DETECTION] Is the TR/Packed.44486 Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\kfmyrk.dll.vir
[DETECTION] Is the TR/Monder.abke.8 Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\kjqbmp.dll.vir
[DETECTION] Is the TR/Monder.abke.4 Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ljrtuepv.dll.vir
[DETECTION] Is the TR/Monder.abke.4 Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\osqtrcgs.dll.vir
[DETECTION] Is the TR/Monder.abke.8 Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\qkerwbjx.dll.vir
[DETECTION] Is the TR/Monder.abtl Trojan
[NOTE] The file was deleted!
C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqNgfcB.dll.vir.vir
[DETECTION] Is the TR/Dldr.Agent.atvk Trojan
[NOTE] The file was deleted!
C:\WINDOWS\system32\drivers\sptd.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\'


End of the scan: sabato 20 dicembre 2008 13:58
Used time: 21:51 Minute(s)

The scan has been done completely.

2915 Scanning directories
142326 Files were scanned
11 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
11 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
142313 Files not concerned
1195 Archives were scanned
2 Warnings
11 Notes


2) As soon as I dragged the CFScript.txt file onto the ComboFix icon, ComboFix started and right afterwards Avira detected a Trojan/virus and removed it... attached you'll find the description of the trojan.

ComboFix then continued with the scan and, after the PC restarted, generated the following report:

ComboFix 08-12-18.03 - SilviaS 2008-12-20 14.38.17.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2046.1540 [GMT 1:00]
Running from: c:\documents and settings\SilviaS\Desktop\kit\ComboFix.exe
Command switches used :: c:\documents and settings\SilviaS\Desktop\CFScript.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\gbaiqoag
c:\windows\system32\drivers\oxugxjvi.sys
c:\windows\system32\ehqwib.dll
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\gbaiqoag

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GBAIQOAG
-------\Service_gbaiqoag


((((((((((((((((((((((((( Files Created From 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))))))
.

2008-12-20 13:29 . 2008-12-20 13:29 <DIR> d-------- c:\programmi\Avira
2008-12-20 13:29 . 2008-12-20 13:29 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Avira
2008-12-20 13:26 . 2008-12-20 13:26 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Avg8
2008-12-20 11:58 . 2008-12-20 11:58 <DIR> d-------- c:\programmi\CCleaner
2008-12-11 18:30 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 18:29 . 2008-12-11 18:30 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2008-12-11 18:29 . 2008-12-11 18:29 <DIR> d-------- c:\documents and settings\SilviaS\Dati applicazioni\Malwarebytes
2008-12-11 18:29 . 2008-12-11 18:29 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-12-11 18:29 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-12-05 12:08 . 2008-12-05 12:08 324,608 --a------ c:\windows\system32\tuvUKAtr.dll
2008-12-05 12:08 . 2008-12-05 12:08 25,088 --a------ c:\windows\system32\drivers\oxugxjvi.sys
2008-11-30 18:47 . 2008-12-03 13:10 69 --a------ c:\windows\NeroDigital.ini
2008-11-28 11:39 . 2001-08-30 20:41 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-28 11:39 . 2001-08-30 20:41 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-28 11:39 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-28 11:39 . 2008-04-13 11:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 18:01 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2008-12-11 17:26 --------- d-----w c:\programmi\Java
2008-12-11 12:03 --------- d-----w c:\programmi\eMule
2008-11-11 21:48 --------- d-----w c:\programmi\microsoft frontpage
2008-11-10 21:59 --------- d-----w c:\programmi\Windows Media Connect 2
2008-11-10 12:47 --------- d-----w c:\documents and settings\SilviaS\Dati applicazioni\AdobeUM
2008-11-09 21:51 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-11-09 21:43 --------- d-----w c:\programmi\File comuni\InstallShield
2008-11-09 21:38 --------- d-----w c:\programmi\Lenovo Fingerprint Software
2008-11-09 19:45 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Messenger Plus!
2008-11-09 19:33 --------- d-----w c:\programmi\Messenger Plus! Live
2008-11-09 19:31 --------- d-----w c:\programmi\Windows Live
2008-11-09 19:30 --------- dcsh--w c:\programmi\File comuni\WindowsLiveInstaller
2008-11-09 19:24 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\WLInstaller
2008-11-09 19:19 --------- d-----w c:\programmi\MSBuild
2008-11-09 19:19 --------- d-----w c:\programmi\Microsoft Works
2008-11-09 19:18 --------- d-----w c:\programmi\Microsoft.NET
2008-11-09 19:17 --------- d-----w c:\programmi\Microsoft Visual Studio 8
2008-11-09 19:14 --------- d-----w c:\programmi\DAEMON Tools Lite
2008-11-09 19:12 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-09 19:12 --------- d-----w c:\documents and settings\SilviaS\Dati applicazioni\DAEMON Tools
2008-11-09 19:11 --------- d-----w c:\programmi\File comuni\Adobe
2008-11-09 19:03 --------- d-----w c:\programmi\File comuni\Ahead
2008-11-09 19:03 --------- d-----w c:\programmi\Ahead
2008-11-09 19:00 --------- d-----w c:\programmi\directx
2008-11-09 18:43 315,392 ----a-w c:\windows\HideWin.exe
2008-11-09 18:43 --------- d-----w c:\programmi\Realtek
2008-11-09 18:22 --------- d-----w c:\programmi\Broadcom
2008-11-09 18:21 --------- d-----w c:\programmi\Lenovo
2008-11-08 23:08 --------- d-----w c:\programmi\Intel
2008-11-08 12:12 --------- d-----w c:\programmi\DIFX
2008-11-08 10:15 --------- d-----w c:\programmi\Servizi in linea
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
.

------- Sigcheck -------

2004-08-19 15:39 504832 4166454e2bcfcc20d1b8a5ac9feab243 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:14 510464 9259170d29b5a256735fcb8b80280857 c:\windows\ServicePackFiles\i386\winlogon.exe
2004-08-19 15:39 504832 4166454e2bcfcc20d1b8a5ac9feab243 c:\windows\SoftwareDistribution\Download\3081fb24ce5c92103d622c497fb2b188\backup\winlogon.exe
2008-11-18 16:07 510464 90f406811ee1eee294792d00e21ca16c c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-21 7585792]
"AzMixerSel"="c:\programmi\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"FingerPrintSoftware"="c:\programmi\Lenovo Fingerprint Software\fpapp.exe" [2007-03-02 933888]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"avgnt"="c:\programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2007-03-21 c:\windows\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 c:\windows\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
BTTray.lnk - c:\programmi\Lenovo\Bluetooth Software\BTTray.exe [2006-11-13 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-02-27 17:26 131072 c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ehqwib.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\eMule\\emule.exe"=

S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2007-01-19 61440]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-12-11 38496]
S4 AutoExNT;AutoExNT;c:\windows\system32\AutoExNT.Exe []
.
.
------- Supplementary Scan -------
.
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Invia a periferica &Bluetooth... - c:\programmi\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {AB0D04C2-7EFA-45A5-894E-F2E1F539D250} = 192.168.0.1,208.67.222.222
FF - ProfilePath - c:\documents and settings\SilviaS\Dati applicazioni\Mozilla\Firefox\Profiles\iz5bqaon.default\

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 14:42:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\ATGinaHook.dll
c:\programmi\Lenovo Fingerprint Software\ATCSSINT.DLL
c:\programmi\Lenovo Fingerprint Software\SharedResources.dll
c:\programmi\Lenovo Fingerprint Software\FPResource.dll
c:\windows\system32\FpWinLogonNp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\programmi\Lenovo\Bluetooth Software\bin\btwdins.exe
c:\programmi\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\programmi\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\programmi\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\programmi\Lenovo\Bluetooth Software\BTStackServer.exe


3) I enabled AutoExNT

4) I ran the scan with Malwarebytes Anti-Malware and no infections were found.

Am I still affected by any trojan or virus?

Re: blue screen and laptop restart

Post by Amantide » Sat Dec 20, 2008 3:44 pm

> now I'll tell you what I did:
>
> 1) Just before reading your last post, I was finishing the PC scan with Avira and found some Trojans, removed successfully... I'm attaching Avira's final report

All the files removed by Avira were the files already removed earlier by ComboFix, which is why they were sitting in its Quarantine folder.

Now that you have installed Avira, uninstall AVG before the two start stepping on each other's toes.

Create another CFScript.txt file and drag it onto ComboFix:

File::
c:\windows\system32\tuvUKAtr.dll
c:\windows\system32\drivers\oxugxjvi.sys

Also open the registry (Start >> Run >> type REGEDIT and press Enter), find the following key and select it:

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows

In the right pane, double-click the AppInit_DLLs value and, in Value data, delete the word ehqwib.dll
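Both CFScript.txt files in this thread were written by hand from the ComboFix log: the helper picked out the boot-start driver whose file ComboFix could not stat (the `S0 gbaiqoag;gbaiqoag;...oxugxjvi.sys []` line), the DLL injected through AppInit_DLLs, and the file catchme reported as hidden, then turned them into File:: and Driver:: sections. The script below is an example added here, not code from the thread, from ComboFix or from its author. It automates that triage over a constructed sample made of the service lines, AppInit_DLLs value and catchme result taken from the first ComboFix log posted above, and renders the same File:: / Driver:: layout. The allow-list of trusted AppInit DLLs, the all-lowercase "random-looking name" heuristic and the assumption that a bare DLL name in AppInit_DLLs lives in system32 are mine, not the page's; treat the output as a draft to review, not something to run unread.

```python
"""Triage a ComboFix log and draft the CFScript.txt the thread wrote by hand.

Constructed sample input: the service lines, the AppInit_DLLs value and the
catchme result as they appear in the first ComboFix log posted in the thread.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll ehqwib.dll

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2008-11-08 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2008-11-08 875288]
S0 gbaiqoag;gbaiqoag;c:\windows\system32\drivers\oxugxjvi.sys []
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2007-01-19 61440]
S4 AutoExNT;AutoExNT;c:\windows\system32\AutoExNT.Exe []

Scansione files nascosti ...

c:\windows\system32\drivers\oxugxjvi.sys 25088 bytes executable

Scansione completata con successo
Files nascosti: 1
"""

# Assumption (not from the thread): DLLs the analyst has already tied to
# installed security software. avgrsstx.dll belongs to AVG 8's resident shield.
TRUSTED_APPINIT = {"avgrsstx.dll"}

# "S0 name;display;path [date size]" -> the bracket is empty when ComboFix
# could not read the file's timestamp and size.
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]\s*$")
HIDDEN_RE = re.compile(r"^([a-z]:\\\S.*?)\s+(\d+)\s+bytes\s+executable$", re.I)
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(.*)$')


def parse_services(log):
    """One dict per R?/S? service line (R = running, S = stopped; the digit is
    the start type: 0 boot, 1 system, 2 auto, 3 manual, 4 disabled)."""
    found = []
    for line in log.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            start, name, display, path, meta = m.groups()
            found.append({"start": start, "name": name, "display": display,
                          "path": path, "meta": meta.strip()})
    return found


def looks_random(name):
    """Crude heuristic (assumption): 8+ letters, all lowercase, no digits."""
    return len(name) >= 8 and name.isalpha() and name.islower()


def suspicious_drivers(services):
    """Boot- or system-start entries with no file metadata whose display name
    merely repeats a random-looking service name."""
    return [s for s in services
            if s["start"][1] in "01" and s["meta"] == ""
            and s["display"] == s["name"] and looks_random(s["name"])]


def parse_appinit(log):
    """DLL names listed in AppInit_DLLs (space separated in ComboFix output)."""
    for line in log.splitlines():
        m = APPINIT_RE.match(line.strip())
        if m:
            return m.group(1).split()
    return []


def parse_hidden_files(log):
    """(path, size) for every file catchme reported as hidden."""
    matches = (HIDDEN_RE.match(ln.strip()) for ln in log.splitlines())
    return [(m.group(1), int(m.group(2))) for m in matches if m]


def triage(log, trusted=TRUSTED_APPINIT):
    """Collect the driver names, untrusted AppInit DLLs and file paths to act on."""
    drivers = suspicious_drivers(parse_services(log))
    dlls = [d for d in parse_appinit(log) if d.lower() not in trusted]
    files = [d["path"] for d in drivers]
    for path, _size in parse_hidden_files(log):
        if path.lower() not in {f.lower() for f in files}:
            files.append(path)
    # Assumption: a bare DLL name in AppInit_DLLs resolves to system32, which
    # is where the thread's CFScript points for ehqwib.dll.
    files += ["c:\\windows\\system32\\" + d for d in dlls]
    return {"drivers": [d["name"] for d in drivers], "dlls": dlls, "files": files}


def build_cfscript(findings):
    """Render File:: and Driver:: sections in the thread's CFScript.txt layout;
    a section with nothing in it is left out."""
    parts = []
    if findings["files"]:
        parts.append("File::\n" + "\n".join(findings["files"]))
    if findings["drivers"]:
        parts.append("Driver::\n" + "\n".join(findings["drivers"]))
    return "\n\n".join(parts) + "\n"


if __name__ == "__main__":
    print(build_cfscript(triage(SAMPLE_LOG)))
```

Run with no arguments to print the drafted script for the sample; for a real log, read the saved file and pass its text to `triage()`. AutoExNT also has empty metadata but is left alone because it is registered as disabled (S4) and has a mixed-case name; an entry like that needs a human decision, which is exactly how the thread treats it.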

Re: blue screen and laptop restart

Post by maux » Sat Dec 20, 2008 4:14 pm

the ComboFix log

ComboFix 08-12-18.03 - SilviaS 2008-12-20 16.08.27.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1040.18.2046.1530 [GMT 1:00]
Running from: c:\documents and settings\SilviaS\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\SilviaS\Desktop\CFScript.txt.txt
* Created a new restore point

WARNING - THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
c:\windows\system32\drivers\oxugxjvi.sys
c:\windows\system32\tuvUKAtr.dll
.

((((((((((((((((((((((((( Files Created From 2008-11-20 to 2008-12-20 )))))))))))))))))))))))))))))))))))
.

2008-12-20 13:29 . 2008-12-20 13:29 <DIR> d-------- c:\programmi\Avira
2008-12-20 13:29 . 2008-12-20 13:29 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Avira
2008-12-20 13:26 . 2008-12-20 13:26 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Avg8
2008-12-20 11:58 . 2008-12-20 11:58 <DIR> d-------- c:\programmi\CCleaner
2008-12-11 18:30 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-11 18:29 . 2008-12-11 18:30 <DIR> d-------- c:\programmi\Malwarebytes' Anti-Malware
2008-12-11 18:29 . 2008-12-11 18:29 <DIR> d-------- c:\documents and settings\SilviaS\Dati applicazioni\Malwarebytes
2008-12-11 18:29 . 2008-12-11 18:29 <DIR> d-------- c:\documents and settings\All Users\Dati applicazioni\Malwarebytes
2008-12-11 18:29 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-30 18:47 . 2008-12-03 13:10 69 --a------ c:\windows\NeroDigital.ini
2008-11-28 11:39 . 2001-08-30 20:41 12,160 --a------ c:\windows\system32\drivers\mouhid.sys
2008-11-28 11:39 . 2001-08-30 20:41 12,160 --a--c--- c:\windows\system32\dllcache\mouhid.sys
2008-11-28 11:39 . 2008-04-13 11:45 10,368 --a------ c:\windows\system32\drivers\hidusb.sys
2008-11-28 11:39 . 2008-04-13 11:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-11 18:01 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Microsoft Help
2008-12-11 17:26 --------- d-----w c:\programmi\Java
2008-12-11 12:03 --------- d-----w c:\programmi\eMule
2008-11-18 15:07 510,464 ----a-w c:\windows\system32\winlogon.exe
2008-11-11 21:48 --------- d-----w c:\programmi\microsoft frontpage
2008-11-10 21:59 --------- d-----w c:\programmi\Windows Media Connect 2
2008-11-10 12:47 --------- d-----w c:\documents and settings\SilviaS\Dati applicazioni\AdobeUM
2008-11-10 04:43 410,984 ----a-w c:\windows\system32\deploytk.dll
2008-11-09 21:51 --------- d--h--w c:\programmi\InstallShield Installation Information
2008-11-09 21:43 --------- d-----w c:\programmi\File comuni\InstallShield
2008-11-09 21:38 --------- d-----w c:\programmi\Lenovo Fingerprint Software
2008-11-09 19:45 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\Messenger Plus!
2008-11-09 19:33 --------- d-----w c:\programmi\Messenger Plus! Live
2008-11-09 19:31 --------- d-----w c:\programmi\Windows Live
2008-11-09 19:30 --------- dcsh--w c:\programmi\File comuni\WindowsLiveInstaller
2008-11-09 19:24 --------- d-----w c:\documents and settings\All Users\Dati applicazioni\WLInstaller
2008-11-09 19:19 --------- d-----w c:\programmi\MSBuild
2008-11-09 19:19 --------- d-----w c:\programmi\Microsoft Works
2008-11-09 19:18 --------- d-----w c:\programmi\Microsoft.NET
2008-11-09 19:17 --------- d-----w c:\programmi\Microsoft Visual Studio 8
2008-11-09 19:14 --------- d-----w c:\programmi\DAEMON Tools Lite
2008-11-09 19:12 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-11-09 19:12 --------- d-----w c:\documents and settings\SilviaS\Dati applicazioni\DAEMON Tools
2008-11-09 19:11 --------- d-----w c:\programmi\File comuni\Adobe
2008-11-09 19:03 --------- d-----w c:\programmi\File comuni\Ahead
2008-11-09 19:03 --------- d-----w c:\programmi\Ahead
2008-11-09 19:00 --------- d-----w c:\programmi\directx
2008-11-09 18:43 315,392 ----a-w c:\windows\HideWin.exe
2008-11-09 18:43 --------- d-----w c:\programmi\Realtek
2008-11-09 18:22 --------- d-----w c:\programmi\Broadcom
2008-11-09 18:21 --------- d-----w c:\programmi\Lenovo
2008-11-08 23:08 --------- d-----w c:\programmi\Intel
2008-11-08 12:12 --------- d-----w c:\programmi\DIFX
2008-11-08 10:15 --------- d-----w c:\programmi\Servizi in linea
2008-10-24 11:21 455,296 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:04 826,368 ----a-w c:\windows\system32\wininet.dll
2008-10-16 13:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 13:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 13:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 13:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 13:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 13:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 13:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 13:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 13:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 13:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-03 10:02 247,326 ----a-w c:\windows\system32\strmdll.dll
2008-09-23 16:46 245,408 ----a-w c:\windows\system32\unicows.dll
.

------- Sigcheck -------

2004-08-19 15:39 504832 4166454e2bcfcc20d1b8a5ac9feab243 c:\windows\$NtServicePackUninstall$\winlogon.exe
2008-04-13 19:14 510464 9259170d29b5a256735fcb8b80280857 c:\windows\ServicePackFiles\i386\winlogon.exe
2004-08-19 15:39 504832 4166454e2bcfcc20d1b8a5ac9feab243 c:\windows\SoftwareDistribution\Download\3081fb24ce5c92103d622c497fb2b188\backup\winlogon.exe
2008-11-18 16:07 510464 90f406811ee1eee294792d00e21ca16c c:\windows\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Punti Reg Caricati ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* i valori vuoti & legittimi/default non sono visualizzati.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-21 7585792]
"AzMixerSel"="c:\programmi\Realtek\InstallShield\AzMixerSel.exe" [2006-01-25 53248]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\programmi\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"FingerPrintSoftware"="c:\programmi\Lenovo Fingerprint Software\fpapp.exe" [2007-03-02 933888]
"SunJavaUpdateSched"="c:\programmi\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"avgnt"="c:\programmi\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"nwiz"="nwiz.exe" [2007-03-21 c:\windows\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2006-08-30 c:\windows\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
Avvio veloce di Adobe Reader.lnk - c:\programmi\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
BTTray.lnk - c:\programmi\Lenovo\Bluetooth Software\BTTray.exe [2006-11-13 561213]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ATFUS]
2007-02-27 17:26 131072 c:\windows\system32\FpWinlogonNp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ehqwib.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Programmi\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Programmi\\eMule\\emule.exe"=

S3 AutoExNT;AutoExNT;c:\windows\system32\AutoExNT.Exe []
S3 FingerprintServer;Fingerprint Server;c:\windows\system32\FpLogonServ.exe [2007-01-19 61440]
.
.
------- Supplementare di scansione -------
.
IE: E&sporta in Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Invia a periferica &Bluetooth... - c:\programmi\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
TCP: {AB0D04C2-7EFA-45A5-894E-F2E1F539D250} = 192.168.0.1,208.67.222.222
FF - ProfilePath - c:\documents and settings\SilviaS\Dati applicazioni\Mozilla\Firefox\Profiles\iz5bqaon.default\

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: yahoo.homepage.dontask - true.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-20 16:09:29
Windows 5.1.2600 Service Pack 3 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\ATGinaHook.dll
c:\programmi\Lenovo Fingerprint Software\ATCSSINT.DLL
c:\programmi\Lenovo Fingerprint Software\SharedResources.dll
c:\programmi\Lenovo Fingerprint Software\FPResource.dll
c:\windows\system32\FpWinLogonNp.dll
.
Ora fine scansione: 2008-12-20 16.10.23
ComboFix-quarantined-files.txt 2008-12-20 15:10:09
ComboFix2.txt 2008-12-20 13:44:50

Pre-Run: 53.103.484.928 byte disponibili
Post-Run: 53,090,516,992 byte disponibili

155 --- E O F --- 2008-12-18 13:35:40


I made the change in regedit.

Re: blue screen and laptop reboot

Post by Amantide » Sat Dec 20, 2008 4:47 pm

OK, now the PC seems to be fine [^]

Re: blue screen and laptop reboot

Post by maux » Sat Dec 20, 2008 5:06 pm

Amantide wrote: OK, now the PC seems to be fine [^]

Unfortunately not [cry]
Avira just caught the Vundo trojan!! (it managed to remove it) [cry] [cry]

I ran another full scan with Avira and it detected and removed the following infected file:

C:\System Volume Information\_restore{E360B71F-0B75-4580-9402-81B72224B3C5}\RP85\A0052422.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan

Is it malware or a false positive?

Re: blue screen and laptop reboot

Post by Amantide » Sat Dec 20, 2008 6:01 pm

Those are infected files "trapped" in the restore points. Simply disable System Restore and reboot the PC; after that you can re-enable it.
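To illustrate the point in the reply above, here is an added example (not code from the thread or from any of the tools mentioned) that reads Avira-style detection lines and tells a restore-point copy apart from a file on the live filesystem. It assumes the Windows XP restore-point layout shown in the posted path (`System Volume Information\_restore{GUID}\RPnn\A00nnnnn.ext`); the second sample entry and its detection name are constructed placeholders.

```python
import re

# Windows XP stores System Restore snapshots under
#   <drive>:\System Volume Information\_restore{<GUID>}\RP<n>\A<7 digits>.<ext>
# A detection on such a path is an archived copy, not a running component.
RESTORE_POINT_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore"
    r"\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"\\RP(?P<rp>\d+)\\(?P<file>A\d{7}\.[A-Za-z0-9]+)$",
    re.IGNORECASE,
)


def classify_path(path):
    """Say where a flagged file lives.

    Returns a dict with kind == "restore_point" (an inert snapshot copy that
    goes away when restore points are purged) or kind == "live" (a file on
    the working filesystem that needs real triage).
    """
    m = RESTORE_POINT_RE.match(path.strip())
    if m:
        return {
            "kind": "restore_point",
            "drive": m.group("drive").upper(),
            "restore_point": int(m.group("rp")),
            "file": m.group("file"),
        }
    return {"kind": "live", "path": path.strip()}


def parse_avira_report(text):
    """Pair each path line with the '[DETECTION] ...' line that follows it."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    entries = []
    i = 0
    while i < len(lines):
        entry = classify_path(lines[i])
        entry["detection"] = None
        if i + 1 < len(lines) and lines[i + 1].startswith("[DETECTION]"):
            entry["detection"] = lines[i + 1][len("[DETECTION]"):].strip()
            i += 1
        entries.append(entry)
        i += 1
    return entries


def triage(text):
    """One human-readable verdict per detection."""
    verdicts = []
    for e in parse_avira_report(text):
        if e["kind"] == "restore_point":
            verdicts.append(
                f"{e['file']} in restore point RP{e['restore_point']} on {e['drive']}: "
                f"{e['detection']} (archived copy; purge restore points, not a live infection)"
            )
        else:
            verdicts.append(
                f"{e['path']}: {e['detection']} "
                "(live file; check autostart entries and loaded modules)"
            )
    return verdicts


# Constructed sample report: the first entry is the one posted in the thread,
# the second is made up (placeholder file and detection name) to exercise
# the "live file" branch.
SAMPLE_REPORT = """\
C:\\System Volume Information\\_restore{E360B71F-0B75-4580-9402-81B72224B3C5}\\RP85\\A0052422.sys
[DETECTION] Is the TR/Rootkit.Gen Trojan
C:\\WINDOWS\\system32\\example-placeholder.dll
[DETECTION] Is the TR/Placeholder.Gen Trojan
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_REPORT):
        print(line)
```

Run it on a saved Avira report and anything reported as a restore-point copy can be cleared by turning System Restore off and on again, as the reply says; anything reported as live deserves a look at the autostart entries and loaded-module lists in the ComboFix log posted earlier.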
